“Defense wins championships.” It doesn’t matter if the sport is football, basketball, baseball, soccer, cycling (yes, and it can be a little weird) … you often hear this cliché said about winning teams.

And to that, I say, “Maybe.”

I believe what is closer to the truth is that championship teams not only have a great (or very good) defense, but they also have the offense and scheme that consistently delivers when it matters most. And this combination of a strong defense paired with a solid offense, both executing a coordinated plan, creates a championship-worthy team.

Bob Kahn and Vint Cerf pioneered and built a connected digital world. As a result, nearly every facet of life has been digitized and connected online. Our personal and professional lives are all online. Money is digitally transacted. Intellectual property lives digitally within databases. Your company’s human resources database, your personal insurance plans, your identity, everything is all found online. As a result, we all willingly accept the risk of our lives being online because, as a society, we have accepted that the benefits outweigh the costs.

The problem, of course, is that there are evildoers in this world, and throughout all of time, criminals have always followed the money. In today’s connected world, money (taking many forms) is found online, and professional cybercriminals make a very good living from stealing sensitive data and money.

For a business, there are certainties when it comes to this connected world. It doesn’t matter how large or small your business may be, you can 100 percent guarantee that there will be attacks. If you have an internet presence, you will be exposed to attacks. In our cyber-connected modern world, this is truth.

The Parallel

So what?

Taking strategic direction and inspiration from Sun Tzu’s Art of War:

Know the enemy and know yourself.

To rely on rustics and not prepare is the greatest of crimes.

I interpret Sun Tzu’s message as meaning that we must understand two things when it comes to cyber threats:

1. Bad actors persistently and effectively execute attacks, and you are a target.

2. You need a championship-level team that is prepared, ready and able to thwart the enemy’s attacks.

If you as the coach know that the opposing team is going to run plays nonstop that will continually seek to undermine your business operations, will you choose to:

1. ignore the opposition’s attacks and pretend that they don’t exist?

2. do the bare minimum and send out the junior high team to thwart the professional, persistent attackers?

3. put the best team that you can afford in place and set them up for the greatest chance of success?

The Strategy

Let’s hope you selected Option 3. You’ve made the decision to commit to building the best team that you can afford. Now what? How do you pull this off? With limited budget, how can you effectively execute the daily grind of security operations? Do you build, or do you buy? What is the more cost-effective approach? What delivers the most value?

Whether an attack succeeds depends largely on your ability to execute a sound security strategy that combines people, process, and technology. Let’s outline the costs and benefits of the Build vs. Buy options and assess which strategy may yield the most value.

The Investment Analysis

To Build:

The People

There are 2,080 hours (52 workweeks of 40 hours each) available for an employee working an average 40-hour week. Subtract two weeks of vacation/sick time, and you have roughly 2,000 hours per employee. There are 8,760 hours in a calendar year.

8,760 total hours available / 2,000 available hours per person = 4.38 people

Adding to the equation variables such as sick time, parental leave, holidays, and the sanity of employees by not completely overloading the team, I would argue that you need a team of six people to cover every hour of the year.

Depending on the organization, this can still be a lean team. In reality, it takes a team of eight or nine to truly have response capabilities at all hours of the day, every day of the year. This would be a mix of senior and junior positions – security operations center (SOC) analysts and security engineers with a director/manager thrown into the mix for good measure. And, that’s not including the most senior leader they all report to.

Indeed.com reports that the average salary of a Security Analyst is $88,120 per year, and a Security Engineer is $103,501 per year. Using the lower of the two salaries for a team of six:

6 people x $88,120 per year = $528,720 / year, People

The Process

Regardless of framework, you must dedicate time to strategic planning, designing, documenting, and implementing the security process by which your organization will execute on a daily basis. This step must not be underestimated, as this is the playbook your team will follow for a repeatable, successful operation.

While this does take time and does cost an organization money, I will abstain from calculating and attaching a dollar figure to process creation. Consultants could be used, but for our purposes, we will assume that the People costs will cover this expense.

The Technology

Next, what is this team monitoring? All of the security event data. How? Software. Which runs on infrastructure. What does that mean? More coin, sometimes a lot more coin.

SIEM software:

Software that collects, correlates, and alerts on log data is not cheap. Even the most basic SIEM solutions will cost tens of thousands of dollars, not to mention the professional services often required for initial deployment and configuration. SIEM solutions can easily cost hundreds of thousands of dollars.

For the purposes of this exercise, I will use a conservative yearly average of $50,000. I know there are many businesses that only wish they could pay $50,000 per year on their SIEM while there are others that immediately reject such a high number saying they would never pay that amount on software! Either way, let’s all be friends and call it an aggregated estimate of:

$50,000 / year, SIEM

Infrastructure:

To operate software as well as store data, we need infrastructure for compute and storage. Again, not all businesses are created equal. Taking a conservative average number of $3,000 per month to account for infrastructure costs, we recognize the following:

$36,000 / year, Infrastructure

Other:

Recruiting, hiring, building a SOC process, solution deployment, data onboarding, configuration, administration, SIEM tuning, specialty professional services, unknown costs, etc. How do you quantify the cost of these processes? Every business is different, but you must account for these costs, whether ongoing or unexpected, because they can and will occur. Maybe they are IT or HR costs. Perhaps they are consulting or professional services. But the reality is that they are real costs related to insourcing SOC operations. Estimate $3,000 per month.

$36,000 / year, Other

Insource Investment:

SOC Component                               | Qty | Annual Cost | 3-Year Total Cost
--------------------------------------------|-----|-------------|------------------
Human Resources: Security Analyst/Engineer  | 6   | $528,720    | $1,586,160
Human Resources: Security Director/Officer  | 1   | $150,000    | $450,000
SIEM*                                       | 1   | $50,000     | $150,000
Infrastructure (Compute & Storage)          | 1   | $36,000     | $108,000
Training                                    | 1   | $10,000     | $30,000
Other                                       | 1   | $36,000     | $108,000
TOTALS                                      |     | $810,720    | $2,432,160

*SIEM – conservative estimate. For larger organizations, it is very likely that SIEM software will be much more.

Using these estimates, it will cost an organization $67,560 per month to build and operate a 24x7 SOC that supports only SIEM-based security event monitoring:

Insource SOC: $2,432,160 / 36 months = $67,560 / month

To Buy:

The Outsourced Bundle: People, Process, & Technology

The key advantage of outsourcing and leveraging a managed security services provider (MSSP) for SOC services is that the responsibility of delivering in all areas regarding the team, the process, and the technology is on the outsourced provider.

People: Let’s face it. Hiring, training and retaining SOC engineers, analysts, managers, etc. is a difficult task. Finding talent and investing in them, only to have them leave once they are trained and have a bit of experience can be a crushing blow to an organization. Outsourcing for this reason alone and not having to carry this burden can be a huge benefit.

Process: Putting together the process of what and how the SOC is detecting, analyzing, responding to, reporting on and preventing incidents takes a great deal of effort. Utilizing an already stable SOC that has its own mature processes mapped to a standard security framework adds significant value. For a business, this equates to operational efficiency resulting in an accelerated time-to-value on service delivery.

Technology: Regarding infrastructure and software, there are economies of scale in leveraging an MSSP’s outsourced SOC services, which distribute resource costs across many organizations. Infrastructure and software (as well as human resources) costs are shared by many customers, significantly reducing the per-organization cost to obtain, administer, and proactively manage these assets and resources.

Lastly, and perhaps most importantly, there is knowledge transfer. MSSPs get the benefit of monitoring and investigating security events across many environments. Patterns and trends happening in one environment may resurface in another environment. Rather than having tunnel vision into a singular environment, the MSSP SOC benefits from a broad security event view across industries, resulting in knowledge gains and operational efficiency that is applied to all of its customers.

Outsourced Investment:

MSSP SOC services pricing has many variables making it difficult to assign an average number to the cost of outsourced SOC services. Thus, I have provided a range of estimated costs for a small and large business, but not the size of “enterprise” Fortune 1000 organizations.

What does this tell us? Should you build, or should you buy SOC operations? The answer is, it depends!

The numbers suggest that if you are a small or midsize business, it may be more cost-effective to outsource SOC services.

If you are a large business, the numbers are more complicated, and you need to evaluate the cost centers of human resources and IT. Does HR have the ability to identify talent, hire, and retain resources? How confident are you in your IT team to obtain the right security technology, implement and execute a sound security operations process, and add the team needed to support it? If not a full outsourcing strategy, would co-sourcing be beneficial? The answers to these questions will help determine whether it makes more sense to build a SOC in-house or look to an MSSP to be the outsourced partner and extension of your information security team.

Regardless, industry data suggests that it is common to spend 6 to 15 percent of the IT budget on information security. Make sure you are identifying the security strategy that is the best fit for your organization and following it every hour of every day. Go build or buy the best team that you can, and let’s all be champions together. Go Team.